Top 10 Ethical Hacking Interview Questions and Answers

1. What is ethical hacking?

2. What are the different types of hacking?

3. What are the tools used for ethical hacking?

4. What is the difference between IP address and Mac address?

5. What is MIB?

6. What is footprinting?

7. What are the best sniffing tools?

8. What is DNS Cache Poisoning?

9. What is a phishing attack?

10. What are the types of password cracking techniques?

Beginner Level Ethical Hacking Interview Questions

1. What is hacking?

Hacking refers to unauthorized intrusion in a system or a network. The person involved in this process is called
a hacker. They use the computer to commit non-malicious activities such as privacy invasion, stealing
personal/corporate data, and more.

2. What is ethical hacking?

Ethical hacking is also known as penetration testing or intrusion testing where the person systematically
attempts to penetrate/intrude into a computer system, application, network, or some other computing
resources on behalf of its owner and finds out threats and vulnerabilities that a malicious hacker could
potentially exploit.

The main objective of ethical hacking is to improve the security of the system or network and fix the
vulnerabilities found during the testing. Ethical hackers employ the same tools and techniques adopted by
malicious hackers to improve security and protect the system from attacks by malicious users with the
permission of an authorized entity.

3. What are the types of hackers?

Based on the hacker’s motive and legality of actions, they are divided into three types:

• Black Hat: These hackers are responsible to create malware; they gain unauthorized access to a
system or network and harm its operations and steal sensitive information.

• White Hat: These hackers are also known as ethical hackers; they’re often employed by companies or
government agencies to find out the vulnerabilities. They never intend to harm the system instead find
out the weaknesses in the network/system as part of penetration testing and vulnerability
assessments.

• Grey Hat: These hackers are a blend of both white hat and black hat hackers; they find out the
vulnerabilities in a system without the owner’s permission or knowledge. Their intention is to bring the
weaknesses in the system to the owner's attention and demand some compensation or incentive from
the owner.

Apart from the above well-known hackers, there are miscellaneous hackers based on what they hack and how
they do it:

1
 • Hacktivist: The person who utilizes technology for announcing social, religious, or political messages.
Mostly hacktivism includes website defacement or denial-of-service attacks.

• Script Kiddie: The one who enters into the computer system using the automation tools written by
others and has less knowledge of the underlying concept, hence the term kiddie.

• Elite Hackers: This is a social message among hackers that describes the most skilled ones. Recently
identified exploits will circulate among these hackers.

• Neophyte: They are also known as green hat hacker or newbie who has no knowledge about the
workings of technology and hacking.

• Blue Hat: The one who is outside of computer security consulting firms try to attempt a bug test to a
system before its launch to find out the weaknesses and close the gaps.

• Red hat: They are a blend of both black hat and white hat hackers, usually employed by top security
agencies, government agencies, etc., that fall under the category of sensitive information.

4. What are the different types of hacking?

Based on the category of being hacked, hacking is divided into different types as follows:

1. Website hacking: It refers to unauthorized access over a web server and its associated software such
as databases and interfaces, and making changes to the information.

2. Network hacking: It refers to collecting data about a network using tools like Telnet, ping, etc., with
the intent to harm the network and hamper its operations.

3. Email hacking: It refers to unauthorized access to the email account and utilizing it without the
owner’s permission.

4. Password hacking: It refers to the process of recovering secret passwords from data that has been
stored in the computer system.

5. Computer hacking: It refers to unauthorized access to the computer and stealing the data such as
computer passwords and ID by employing hacking techniques.

5. What are the advantages and disadvantages of ethical hacking?

Advantages:

• It helps to fight against cyber terrorism and national security breaches.

• It helps to take preventive actions against hackers.

• Detects the weaknesses and closes the gaps in a system or a network.

• Prevents gaining access from malicious hackers.

• Provides security to banking and financial settlements.

Disadvantages:

• Might use the data against malicious hacking activities.

• May corrupt the files of an organization.

• Possibility to steal sensitive information on the computer system.

2
6. What are the tools used for ethical hacking?

The most popular ethical hacking tools are listed below:

• John the Ripper

• Metasploit

• Nmap

• Acunetix

• Wireshark

• SQLMap

• OpenVAS

• IronWASP

• Nikto

• Netsparker

Here’s a brief explanation of each tool you mentioned:

1. John the Ripper

• Purpose: A password-cracking tool.

• Use Case: Used to test the strength of passwords by brute-forcing or using dictionary attacks to find
weak or poorly secured passwords.

• Common Target: Unix/Linux, Windows, and other operating system passwords stored in hashed
formats.

2. Metasploit

• Purpose: A penetration testing framework.

• Use Case: Allows security researchers and penetration testers to find vulnerabilities, exploit them,
and even automate these processes.

• Common Target: Various systems, applications, and networks.

3. Nmap (Network Mapper)

• Purpose: A network scanning tool.

• Use Case: Used for network discovery and security auditing. It helps identify open ports, services, and
potential vulnerabilities in networks.

• Common Target: Network devices, servers, and systems.

4. Acunetix

• Purpose: A web vulnerability scanner.

3
 • Use Case: It is used to identify vulnerabilities like SQL injection, Cross-Site Scripting (XSS), and other
web-based security flaws.

• Common Target: Websites and web applications.

5. Wireshark

• Purpose: A network protocol analyzer.

• Use Case: Captures and analyzes network traffic in real-time. It helps to inspect packets to
troubleshoot networks or investigate security issues.

• Common Target: Network traffic from various protocols (e.g., HTTP, TCP/IP).

6. SQLMap

• Purpose: A SQL injection tool.

• Use Case: Automates the process of detecting and exploiting SQL injection flaws. It can be used to
extract data from databases and even gain control of the server.

• Common Target: Databases behind web applications.

7. OpenVAS (Open Vulnerability Assessment System)

• Purpose: A vulnerability scanner.

• Use Case: Used to scan networks and systems for known vulnerabilities. It provides detailed reports
on security issues and possible mitigation.

• Common Target: Networks, servers, and endpoints.

8. IronWASP

• Purpose: A web application security scanner.

• Use Case: It is designed to find security vulnerabilities in web applications. It has various modules for
detecting flaws like XSS, SQL injection, and others.

• Common Target: Web applications.

9. Nikto

• Purpose: A web server scanner.

• Use Case: It scans web servers for vulnerabilities like outdated software, dangerous files, and
misconfigurations.

• Common Target: Web servers and applications.

10. Netsparker

• Purpose: A web vulnerability scanner.

• Use Case: Used to detect security vulnerabilities such as SQL injection, Cross-Site Scripting, and
other common web flaws in websites.

• Common Target: Web applications, websites, and APIs.

7. What are the various stages of hacking?

There are mainly five stages in hacking:

4
 1. Reconnaissance: This is the primary phase of hacking, also known as the footprinting or information
gathering phase, where the hacker collects as much information as possible about the target. It
involves host, network, DNS records, and more.

2. Scanning: It takes the data discovered during reconnaissance and uses it to examine the network.

3. Gaining access: The phase where attackers enter into a system/network using various tools and
techniques.

4. Maintaining access: Once hackers gain access, they want to maintain access for future exploitation
and attacks. This can be done using trojans, rootkits, and other malicious files.

5. Covering tracks: Once the hackers are able to gain and maintain access, they cover tracks to avoid
detection. It involves modifying/deleting/corrupting the value of logs, removing all traces of work,
uninstalling applications, deleting folders, and more.

8. What is a firewall?

A firewall is a network security system that allows or blocks network traffic as per predetermined security
rules. These are placed on the boundary of trusted and untrusted networks.

9. What is the difference between encryption and hashing?

Hashing is used to validate the integrity of the content, while encryption ensures data confidentiality and
security. Encryption is a two-way function that includes encryption and decryption, while hashing is a one-way
function that changes a plain text to a unique digest that is irreversible.

10. What is the difference between IP address and Mac address?

IP address: For every device, an IP address is assigned. The IP address is a number allocated to a connection
of a network.

MAC address: A MAC address is a unique serial number assigned to every network interface on every device.

The major difference is MAC address uniquely identifies a device that wants to take part in a network while the
IP address uniquely defines a connection of a network with an interface of a device.

11. What is the difference between virus and worm?

Virus: It is a type of malware that spreads by embedding a copy of itself and becomes a part of other
programs. Viruses spread from one computer to another while sharing the software or document they are
attached to using a network, file sharing, disk, or infected email attachments.

Worm: These are similar to viruses and cause the same type of damage. They replicate functional copies of
themselves and do not require a host program or human help to propagate. Advanced worms leverage
encryption, ransomware, and wipers to harm their targets.

12. What do you mean by keystroke logging?

Keystroke logging is also known as keylogging or keyboard capturing. It is a type of surveillance software that
records every keystroke made on the keyboard. Every action made on the keyboard is monitored, and data is
retrieved by operating through the logging program.

13. What do you mean by Trojan and explain its types?

A Trojan is a type of malware that is often developed by hackers or attackers to gain access to target systems.
Users are manipulated by some attractive social media ads and then directed towards malicious sites into
loading and performing Trojans on their systems.

Types of Trojans:

5
 1. Trojan-Downloader: It is a type of virus that downloads and installs other malware.

2. Ransomware: It is a type of Trojan that can encrypt the data on your computer/device.

3. Trojan-Droppers: These are complex programs used by cybercriminals to install malware. Most
antivirus programs do not identify droppers as malicious, and hence it is used to install viruses.

4. Trojan-Rootkits: It prevents the detection of malware and malicious activities on the computer.

5. Trojan-Banker: These steal user account-related information such as card payments and online
banking.

6. Trojan-Backdoor: It is the most popular type of Trojan, that creates a backdoor for attackers to access
the computer later on from remote using a remote access tool (RAT). This Trojan provides complete
control over the computer.

14. What is Cowpatty?

Cowpatty is the implementation of the offline dictionary attack against WPA/WPA2 networks using PSK-based
authentication.

E.g. WPA-Personal

Most of the enterprises employ PSK-based authentication for WPA/WPA2 networks.

15. What do you mean by exploitation?

Exploitation is a part of programmed software or script that allows hackers to gain control over the targeted
system/network and exploit its vulnerabilities. Most hackers use scanners like OpenVAS, Nessus, etc., to find
these vulnerabilities.

16. What is enumeration in ethical hacking?

Enumeration is the primary phase of ethical hacking that is information gathering. In this phase, the attacker
builds an active connection with the victim and tries to gain as much information as possible to find out the
weaknesses or vulnerabilities in the system, and tries to exploit the system further.

Enumeration collects information about:

• Network shares

• Passwords policies lists

• IP tables

• SNMP data, if they are not secured properly

• Usernames of different systems

17. What are the different enumerations available in ethical hacking?

The different enumerations available in ethical hacking are listed below:

• DNS enumeration

• NTP enumeration

• SNMP enumeration

• Linux/Windows enumeration

• SMB enumeration

18. What is defacement?

6
Defacement is an attack in which the hacker changes the visual appearance of a web page or website. The
attacker replaces the firm’s site with an alternate page or sometimes opposite to the text of the website.

19. What is MIB?

Management Information Base (MIB) is a virtual database of network objects. It contains all the formal
descriptions of the network objects being monitored by a network management system. The MIB database of
objects is used as a reference to a complete collection of management information on an entity like a
computer network.

20. What is MAC flooding and how to prevent it?

MAC flooding is an attacking method that is used to compromise the security of the network switches. These
switches maintain a table structure called a MAC table that consists of each MAC address of the host
computer on the networks which are connected to the ports of the switch.

To prevent MAC flooding, use the following methods:

• Authentication with the AAA server

• Port security

• Implement IEEE 802.1x suites

• Employ security measures to prevent IP spoofing or ARP spoofing

Advanced Level Ethical Hacking Interview Questions

21. What is footprinting?

Footprinting is a technique used for collecting as much information as possible about the targeted
network/system/victim to execute a successful cyber attack. It also finds out the security posture of the
target. During this phase, a hacker can collect data about a domain name, IP address, namespace, employee
information, phone numbers, emails, and job information.

Footprinting is divided into two types:

Passive footprinting: It collects data of the target system located at a remote distance from the attacker.

Active footprinting: It is performed directly by getting in touch with the target machine.

22. What do you mean by fingerprinting in ethical hacking?

Fingerprinting is a technique used for determining which operating system is running on a remote computer.

Active fingerprinting: In this, we send the specially crafted packets to the target machine, and based on its
response and gathered data, we determine the target OS.

Passive fingerprinting: In this, based on the sniffer traces of the packets, we can find out the OS of the remote
host.

23. What is sniffing and what are its types?

Sniffing is referred to as a process of monitoring and capturing the data packets passing through a given
network. It is mostly used by system/network administrators to monitor and troubleshoot network traffic.
Sniffing allows you to see all sorts of traffic, both protected and unprotected. Attackers use this to capture
data packets having sensitive information such as email traffic, FTP password, web traffic, router
configuration, DNS traffic, and more.

Sniffing is divided into two types:

Active sniffing:
7
In this, traffic is not only locked and monitored but it may be altered in some way determined by the attack. It
is used to sniff a switch-based network. It involves injecting the address resolution packets into a target
network to switch on the content addressable memory table.

Passive sniffing:

In this, traffic is locked but not at all altered in any way. It works with hub devices, and traffic is sent to all the
ports. Any traffic that is passing through the unbridged or non-switched network segment can be seen by all
the machines on the segment.

24. What are the best sniffing tools?

The best sniffing tools are listed below:

• Tcpdump

• Wireshark

• Fiddler

• EtherApe

• Packet Capture

• NetworkMiner

• WinDump

• EtterCap

• dSniff

Here's a brief overview of the tools you've listed:

1. Tcpdump

• Purpose: A packet analyzer.

• Use Case: Used to capture and display network packets in real-time. It is commonly used for
troubleshooting network issues and analyzing network traffic.

• Common Target: Network traffic on Unix/Linux-based systems.

• Example: Filtering TCP/IP traffic to troubleshoot connectivity issues.

2. Wireshark

• Purpose: A network protocol analyzer.

• Use Case: Allows for deep inspection of hundreds of protocols and captures network traffic for
analysis. It can help in identifying security breaches, network issues, or abnormal behavior.

• Common Target: Network traffic across different platforms (Windows, Linux, macOS).

• Example: Analyzing HTTP, DNS, or SSL/TLS traffic.

3. Fiddler

• Purpose: A web debugging proxy.

• Use Case: Intercepts and logs HTTP/HTTPS traffic between a computer and the web, allowing
developers and testers to inspect and modify requests and responses.
8
 • Common Target: Web traffic for applications and browsers.

• Example: Analyzing API calls, troubleshooting web application behavior.

4. EtherApe

• Purpose: A graphical network traffic analyzer.

• Use Case: Provides a visual representation of network traffic, showing which hosts are
communicating and the protocols in use.

• Common Target: Network traffic on Unix/Linux systems.

• Example: Visualizing traffic patterns on a network in real-time.

5. Packet Capture (PCAP)

• Purpose: A term for capturing network data.

• Use Case: Refers to tools that capture raw network data, which can then be analyzed using tools like
Wireshark or Tcpdump.

• Common Target: Network packets across various systems.

• Example: Capturing network traffic for later analysis or debugging.

6. NetworkMiner

• Purpose: A network forensics tool.

• Use Case: Passively captures network traffic and reconstructs files, credentials, and other artifacts
from packet captures. Often used for security monitoring and digital forensics.

• Common Target: Captured network traffic for forensic analysis.

• Example: Extracting images, files, and user credentials from network traffic.

7. WinDump

• Purpose: A Windows-based packet analyzer.

• Use Case: The Windows version of Tcpdump, it captures and analyzes network packets. It is used for
troubleshooting and analyzing network traffic on Windows systems.

• Common Target: Windows network traffic.

• Example: Filtering and displaying specific types of network packets (e.g., TCP, UDP).

8. EtterCap

• Purpose: A network security tool.

• Use Case: Used for man-in-the-middle (MITM) attacks, sniffing network traffic, and performing
network protocol analysis. It can also inject malicious payloads into intercepted packets.

• Common Target: Local networks for sniffing or testing purposes.

• Example: Conducting a man-in-the-middle attack to capture sensitive information.

9. dSniff

• Purpose: A collection of network auditing and penetration testing tools.

9
 • Use Case: Used for intercepting and analyzing network traffic, including passwords and other
sensitive information transmitted over the network.

• Common Target: Network traffic for sniffing passwords and credentials.

• Example: Capturing plain-text passwords from FTP, HTTP, SMTP traffic.

These tools provide various functionalities for network analysis, ranging from simple packet capture to deep
network traffic inspection and even ethical hacking.

25. What is ARP poisoning?

ARP (Address Resolution Protocol) poisoning is also known as ARP spoofing or ARP Poison routing. It is a form
of attack where the attacker changes the MAC (Media Access Control) address and attacks the ethernet LAN
network by changing the target computer’s ARP cache with forged requests and reply packets.

26. How to prevent ARP poisoning?

ARP poisoning can be prevented by the following methods:

Packet filters:

These help in reducing the chances of attacks being successful. These filters analyses each packet that has
been sent over a network and filter out and blocks malicious packets that are suspicious.

Encryption:

Protocols such as SSH and HTTPS will also help you to reduce ARP poisoning attacks.

VPNs:

These are not suitable for larger organizations as each VPN connection needs to be placed between each
computer and each server. If it is only a single person trying to attack using public wifi, then VPN will encrypt
all the data that has been transmitted between the exit server and the client.

Static ARP entries:

This is suitable for smaller networks. This ARP is added for every machine on a network into a single individual
computer.

27. What is DNS Cache Poisoning?

DNS cache poisoning is a technique that exploits vulnerabilities in the DNS (domain name system) to divert
internet traffic away from legitimate servers and towards false ones. It is also known as DNS spoofing.

28. What is SQL injection and how to prevent it?

SQL injection is a type of injection attack that executes malicious SQL statements and controls the database
server behind a web application.

These attacks mostly take place on the web pages developed using ASP.NET or PHP.

These attacks can be made with the following intentions:

• To execute the different queries that are not allowed on the application.

• To change the content of the database

• To dump the entire database of the system.

10
The only way to prevent the SQL injection attack is input validation and parameterized queries including
prepared statements. The application code should never use the input directly.

29. What is Cross-Site scripting and how can you fix it?

Cross-Site Scripting (XSS) is also referred to as a client-side code injection attack. In this, the attacker intends
to execute malicious scripts on the victim’s web browser by including malicious code in a legitimate page or
web application. The actual attack occurs when the victim visits the page and executes malicious code, and
this web application actually becomes a vehicle to deliver the malicious script to the user’s browser. Forums,
web pages, and message boards that allow comments support cross-site scripting attacks.

To fix these attacks, apply context-dependent output encoding.

30. What is a DDoS attack and how does it work?

DDoS (Distributed Denial of Service) attack is a type of DoS attack, where several compromised systems are
often infected with a trojan and are used to target a single system causing a DoS (Denial of Service) attack.

Here is how DDoS work:

It is an attempt to make a webpage or online service inaccessible by overloading it with huge floods of traffic
from various sources.

31. What are the types of DDoS attacks?

DDoS attacks are categorized into three types:

Volume-based Attacks:

These are also known as Layer3 & 4 attacks. In this, the attacker tries to saturate the bandwidth of the target
site.

Protocol Attacks:

These attacks include actual server resources and others like load balancers and firewalls, and they are
measured in Packets per Second.

Application Layer Attacks:

It includes the zero-day DDoS attacks, Slowloris, etc., that attack the Windows, Apache, or OpenBSD
vulnerabilities and more. This is measured in Requests per Second.

32. What is a Pharming attack and how to prevent it?

Pharming attack is one of the various cyber-attacks practiced by the attackers. It is a fraudulent practice in
which legitimate website traffic is manipulated to direct users to the fake look-alikes that will steal personal
data such as passwords or financial details or install malicious software on the visitor's computer.

Pharming attacks can be prevented by the following methods:

Install the power antivirus software that will detect and remove the malware that is directed to the malicious
sites on your computer.

11
Check the URLs on the sites that you visit are trustworthy.

33. What is a phishing attack?

Phishing is an attempt to steal sensitive information such as user data, credit card numbers, etc. These
attacks occur mostly while using personal email accounts or social networking sites, online transactions, and
more.

34. What is Spoofing?

Spoofing is a fraudulent practice in which communication is sent from an unauthorized source and disguised
as a known source to the receiver. It is used to gain access to targets' personal information and spread
malware and redistribute traffic to execute a denial-of-service attack.

The below listed are the most popular spoofing attacks:

• Email spoofing

• Website spoofing

• Caller ID spoofing

• ARP spoofing

• DNS server spoofing

Here’s an explanation of each type of spoofing:

1. Email Spoofing

• Definition: The forgery of an email header to make it appear as though the email originated from a
trusted source.

• How It Works: Attackers modify the "From" field in an email to impersonate a legitimate sender. This is
often used in phishing attacks to trick recipients into sharing sensitive information or downloading
malware.

• Example: An attacker sends an email pretending to be from a trusted bank, asking the recipient to
click a malicious link to "verify their account."

2. Website Spoofing

• Definition: The creation of a fraudulent website that mimics a legitimate one to trick users into
providing personal or financial information.

• How It Works: Attackers create a fake version of a legitimate website (e.g., a bank or social media
platform) to steal users' credentials or other sensitive data. The URL may look very similar to the
legitimate one (e.g., replacing 'o' with '0').

• Example: A user is redirected to a fake website that looks like PayPal, where they are asked to enter
their login credentials, which are then stolen.

3. Caller ID Spoofing

• Definition: The practice of falsifying the caller ID displayed on the recipient's phone to make it appear
as though the call is coming from a trusted or familiar source.

• How It Works: Attackers can use specialized software or services to change the caller ID information.
This is often used in phishing or social engineering scams to trick people into revealing sensitive
information.

12
 • Example: A call appears to come from the recipient’s bank, but it's actually a scammer trying to steal
their personal details.

4. ARP Spoofing (Address Resolution Protocol Spoofing)

• Definition: A technique in which an attacker sends falsified ARP messages to a local network to
associate their MAC address with the IP address of another device.

• How It Works: The attacker intercepts traffic intended for another device by convincing the network
that their device has the same IP address as the target. This can lead to man-in-the-middle attacks,
allowing the attacker to capture sensitive data like passwords.

• Example: An attacker on the same network intercepts traffic between a user and a router by falsely
linking their MAC address to the router’s IP address.

5. DNS Server Spoofing (DNS Cache Poisoning)

• Definition: The corruption of DNS records to redirect traffic from a legitimate website to a fraudulent
one.

• How It Works: Attackers insert malicious DNS entries into a DNS server’s cache. When a user tries to
visit a specific website, they are directed to a malicious website instead, where attackers may steal
credentials or infect the user’s system with malware.

• Example: A user types in "example.com" in their browser, but due to DNS spoofing, they are taken to a
fake website that looks like the real one, and their login details are stolen.

Each of these spoofing methods is a form of deception used by attackers to manipulate data and gain
unauthorized access to sensitive information or systems. They are commonly used in phishing and man-in-
the-middle attacks.

35. What are the different types of penetration testing?

There are five types of penetration testing:

1. Black Box: In this, the hacker attempts to detect information by their own means.

2. External Penetration Testing: In this case, the ethical hacker attempts to hack using public networks
through the Internet.

3. Internal Penetration Testing: The ethical hacker is inside the network of the company and conducts
his tests from there.

4. White Box: In this, an ethical hacker is provided with all the necessary information about the
infrastructure and the network of the organization that needs to penetrate.

5. Grey Box: It this, the hacker has partial knowledge of the infrastructure, like its domain name server.

Visit here to learn Ethical Hacking Training in Bangalore

36. What are the types of password cracking techniques?

The most popular password cracking techniques used by hackers are listed below:

1. Dictionary attack: This attack uses the common kind of words and short passwords that many people
use. The hacker uses a simple file containing words that can be found in the dictionary and tries them
frequently with numbers before or after the words against the user accounts.

13
 2. Brute force attacks: These are similar to dictionary attacks, but instead of using simple words,
hackers detect the non-dictionary words by using all possible alphanumeric combinations from aaa1
to zzz10.

3. Man in the middle attack: In this, the attacker's program actively monitors the information being
passed and inserts itself in the middle of the interaction usually by impersonating an application or
website. These attacks steal sensitive information such as social security numbers, account numbers,
etc.

4. Traffic interception: In this, the hacker uses packet sniffers to monitor network traffic and capture
passwords.

5. Keylogger attack: The hacker manages to install software to track the user's keystrokes and enable
them not only to collect the user's account information and passwords but also to check which
website or app the user was logging into the credentials.

37. What is a social engineering attack?

Social engineering is referred to like a broad range of methods majorly intended by the people who want to
hack other people’s data or make them do a specific task to benefit the hacker.

The attacker first collects the victim’s information like security protocols required to proceed with the attack,
and gains the victim's trust, and breaks security practices, such as granting access to critical resources or
stealing sensitive information.

38. What are the different types of social engineering attacks?

Different types of social engineering attacks include:

• Phishing

• Vishing

• Pretexting

• Quid pro quo

• Tailgating

• Spear phishing

• Baiting

39. What is a rogue DHCP server?

A rogue DHCP server is a DHCP server set up on a network by an attacker which is not under the control of
network administrators. It can be either a modem or a router.

Rogue DHCP servers are primarily used by hackers for the purpose of network attacks such as Sniffing,
Reconnaissance, and Man in the Middle attacks.

40. What is Burp Suite?

Burp Suite is an integrated platform used for executing a security test of web applications. It consists of
various tools that work seamlessly together to manage the entire testing process from initial mapping to
security vulnerabilities.
14
In case you have attended any ethical hacking interview in the recent past and unable to find out the best
answers for it, do mention those interview questions in the comments section below and we’ll answer them
ASAP.

41.Types of Network Firewall

Network Firewalls are the devices that are used to prevent private networks from unauthorized access. A
Firewall is a security solution for the computers or devices that are connected to a network, they can be either
in the form of hardware as well as in form of software. It monitors and controls the incoming and outgoing
traffic (the amount of data moving across a computer network at any given time ).

The major purpose of the network firewall is to protect an inner network by separating it from the outer
network. An inner Network can be simply called a network created inside an organization and a network that is
not in the range of an inner network can be considered an Outer Network.

Types of Network Firewalls

Packet Filters

It is a technique used to control network access by monitoring outgoing and incoming packets and allowing
them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols, and
ports. This firewall is also known as a static firewall.

15
Packet Filter Firwall

Stateful Inspection Firewalls

It is also a type of packet filtering that is used to control how data packets move through a firewall. It is also
called dynamic packet filtering. These firewalls can inspect that if the packet belongs to a particular session or
not. It only permits communication if and only if, the session is perfectly established between two endpoints
else it will block the communication.

Stateful Inspection Firewalls

Application Layer Firewalls

These firewalls can examine application layer (of OSI model) information like an HTTP request. If finds some
suspicious application that can be responsible for harming our network or that is not safe for our network then
it gets blocked right away.

Next-generation Firewalls

These firewalls are called intelligent firewalls. These firewalls can perform all the tasks that are performed by
the other types of firewalls that we learned previously but on top of that, it includes additional features like
application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.
16
 Next-generation Firewalls

Circuit-level Gateways

A circuit-level gateway is a firewall that provides User Datagram Protocol (UDP) and Transmission Control
Protocol (TCP) connection security and works between an Open Systems Interconnection (OSI) network
model’s transport and application layers such as the session layer.

Circuit-level Gateways

Software Firewall

The software firewall is a type of computer software that runs on our computers. It protects our system from
any external attacks such as unauthorized access, malicious attacks, etc. by notifying us about the danger
that can occur if we open a particular mail or if we try to open a website that is not secure.

17
 Software Firewall

Hardware Firewall

A hardware firewall is a physical appliance that is deployed to enforce a network boundary. All network links
crossing this boundary pass-through this firewall, which enables it to perform an inspection of both inbound
and outbound network traffic and enforce access controls and other security policies.

Hardware Firewall

Cloud Firewall

These are software-based, cloud-deployed network devices. This cloud-based firewall protects a private
network from any unwanted access. Unlike traditional firewalls, a cloud firewall filters data at the cloud level.

Hardware Firewall vs Software Firewall

A hardware firewall is a separate physical device placed between a network and its connected devices. It
monitors and controls incoming and outgoing network traffic based on set security rules. Setting up a
hardware firewall requires skilled personnel for proper installation and ongoing management.

In contrast, a software firewall runs on a server or virtual machine. It operates on a security-focused operating
system, typically using standard hardware resources. Software firewalls can often be quickly implemented
using cloud automation tools.

18
Both hardware and software firewalls are crucial for network security. The choice between them depends on
specific needs and deployment contexts.

Working of Firewalls

Firewalls can control and monitor the amount of incoming or outgoing traffic of our network. The data that
comes to our network is in the forms of packets(a small unit of data), it is tough to identify whether the packet
is safe for our network or not, this gives a great chance to the hackers and intruders to bombard our networks
with various viruses, malware, spam, etc.

Capabilities of Modern Firewalls

Since they were first created, firewalls have been a key part of network security. As technology has advanced,
so have the capabilities and methods of deploying firewalls.

With these advancements, many different types of firewalls have emerged, making the options sometimes
confusing. Different firewalls serve different purposes, and one way to differentiate them is by looking at what
they protect, their form, where they are placed in the network, and how they filter data.

Organizations might need various types of firewalls to ensure effective network security. It’s also important to
remember that a single firewall product can include multiple types of firewall functions.

How to Prevent Network?

A network firewall applies a certain set of rules on the incoming and outgoing network traffic to examine
whether they align with those rules or not.

• If it matches then the traffic will be allowed to pass through your network.

• If it doesn’t match– then the firewall will block the traffic.

This way, the network remains safe and secure.

Which Firewall Architecture is best?

There is no as such best firewall architecture. The choice of firewall architecture for any network depends
upon its use cases, requirements, budgets etc. In our network if we are having threat at Application layer then
Application layer firewall can be best. If we are having threat at session layer then circuit level gateways can be
best.

Advantages

• Monitors Network Traffic : A network firewall monitors and analyzes traffic by inspecting whether the
traffic or packets passing through our network is safe for our network or not. By doing so, it keeps our
network away from any malicious content that can harm our network.

• Halt Hacking: In a society where everyone is connected to technology, it becomes more important to
keep firewalls in our network and use the internet safely.

• Stops Viruses : Viruses can come from anywhere, such as from an insecure website, from a spam
message, or any threat, so it becomes more important to have a strong defense system (i.e. firewall in
this case), a virus attack can easily shut off a whole network. In such a situation, a firewall plays a vital
role.

• Better Security: If it is about monitoring and analyzing the network from time to time and establishing
a malware-free, virus-free, spam-free environment so network firewall will provide better security to
our network.

• Increase Privacy: By protecting the network and providing better security, we get a network that can
be trusted.
19
Disadvantages

• Cost: Depending on the type of firewall, it can be costly, usually, the hardware firewalls are more
costly than the software ones.

• Restricts User: Restricting users can be a disadvantage for large organizations, because of its tough
security mechanism. A firewall can restrict the employees to do a certain operation even though it’s a
necessary operation.

• Issues With The Speed of The Network: Since the firewalls have to monitor every packet passing
through the network, this can slow down operations needed to be performed, or it can simply lead to
slowing down the network.

• Maintenance: Firewalls require continuous updates and maintenance with every change in the
networking technology. As the development of new viruses is increasing continuously that can
damage your system.

Conclusion

In conclusion, network firewalls are essential tools that protect our computers and networks from unwanted
access and cyber threats. There are different types of firewalls, each type of firewall serves a different purpose
and offers varying levels of protection. Choosing the right firewall depends on the specific needs and security
requirements of your network.

42.What is SIEM?

SIEM (Security Information and Event Management) is a set of tools and services that provide an overview of
an organization's information security by combining two functions:

1. Security Information Management (SIM): The collection, analysis, and reporting of log data.

2. Security Event Management (SEM): The real-time monitoring, correlation, and alerting of security
events.

Key Functions of SIEM:

1. Data Aggregation: SIEM collects data from various sources like firewalls, servers, databases,
applications, and other security systems across the network.

2. Log Management: Centralizes and stores logs for long-term analysis. This allows for easier
investigation of past security events.

3. Real-Time Monitoring: SIEM continuously monitors network activity and security events in real-time
to detect anomalies or potential threats.

4. Event Correlation: Correlates logs and data from different sources to identify patterns or indicators of
compromise (IoCs) that might signal a security incident.

5. Alerting and Notification: When a threat or suspicious activity is detected, SIEM generates alerts to
notify security teams.

6. Threat Intelligence Integration: Some SIEMs can integrate with external threat intelligence feeds to
improve detection of known threats.

7. Incident Response: Provides the necessary information to investigate and respond to incidents more
effectively, including automating certain response actions.

20
 8. Reporting and Compliance: Helps generate reports for regulatory compliance standards (like GDPR,
HIPAA, PCI-DSS) and internal audits.

Benefits of SIEM:

• Enhanced Security Visibility: Offers a comprehensive view of the security posture of an organization.

• Faster Incident Detection: Speeds up the detection of security incidents through correlation and real-
time monitoring.

• Improved Threat Detection: By analyzing data from various sources, SIEMs can identify threats that
might be missed by individual systems.

• Compliance Support: Helps organizations meet regulatory requirements by providing necessary logs
and reports.

Common SIEM Tools:

• Splunk

• IBM QRadar

• ArcSight

• SolarWinds

• Microsoft Sentinel

SIEMs are central to modern cybersecurity operations, enabling Security Operations Centers (SOCs) to
efficiently detect, analyze, and respond to security incidents.

43.what is phishing email analysis ?

Phishing email analysis is the process of examining and investigating suspicious emails to identify whether
they are part of a phishing attack. Phishing attacks are designed to trick recipients into revealing sensitive
information, such as usernames, passwords, or financial details, or to deliver malicious payloads like
malware or ransomware. Phishing email analysis is critical for detecting such threats and preventing security
breaches.

Key Steps in Phishing Email Analysis:

1. Email Header Analysis:

o Sender’s Email Address: Check if the sender’s address is legitimate or if it's a spoofed/fake
address. Look for slight variations in domain names (e.g., "micros0ft.com" instead of
"microsoft.com").

o Return Path: Compare the return path email address with the sender's email to detect
discrepancies.

o IP Address: Trace the sender's IP address to determine if it originates from an unexpected or

suspicious location.

o Received Fields: Check the chain of servers the email passed through, which can indicate
unusual or foreign sources.

o Message-ID: Ensure that the Message-ID aligns with the domain from which the email claims
to originate.

2. Content Analysis:
21
 o Suspicious Links: Inspect URLs within the email to see if they lead to malicious or fake
websites. Hover over links (without clicking) to verify if the link matches what is displayed.

o Attachments: Analyze any attachments, as they could contain malware or malicious scripts.

o Urgency or Threats: Many phishing emails create a sense of urgency (e.g., "Your account will
be deactivated!") to pressure the recipient into acting without thinking.

o Grammatical Errors: Phishing emails often contain grammatical errors or awkward language,
which can be a red flag.

3. Inspecting the Body of the Email:

o Personalization: Phishing emails often lack proper personalization (e.g., using "Dear
customer" instead of the recipient’s actual name).

o Requests for Sensitive Information: Legitimate companies typically do not ask for sensitive
information (like passwords or payment details) via email.

o Unusual Requests or Instructions: Look out for any unexpected instructions, such as
downloading a file or clicking on a link to "verify" or "update" an account.

4. Analyzing Embedded URLs:

o URL Shorteners: Be cautious if the email uses URL shorteners (e.g., bit.ly) to disguise the
destination.

o Checking for Phishing Domains: Use tools like VirusTotal, PhishTank, or online URL scanners
to analyze URLs and detect phishing sites.

o Domain Lookalikes: Check if the domain used in the URL is similar but slightly altered (e.g.,
"goog1e.com" instead of "google.com").

5. Attachment Analysis:

o File Type: Phishing emails often include harmful attachments like ZIP files, Word documents
with malicious macros, PDFs with hidden malware, or executable files.

o Sandboxing: Run suspicious attachments in a sandboxed environment to observe any

malicious activity without risking harm to your system.

o Malware Detection: Use antivirus or malware analysis tools to scan the attachment for known
malicious signatures.

6. Email Behavior Analysis:

o User Reports: If other users have flagged the email as phishing, this can provide evidence of
its malicious intent.

o Campaign Characteristics: Many phishing attacks are part of broader campaigns. Look for
similar emails that target multiple users within an organization or globally.

7. Indicators of Compromise (IoCs):

o Analyze whether the email contains known Indicators of Compromise (such as IP addresses,
domain names, or malware signatures) associated with previous phishing attacks.

o Compare with external threat intelligence feeds to detect any patterns or known attack
vectors.

Tools for Phishing Email Analysis:

22
 • VirusTotal: To scan email attachments and URLs for known malicious content.

• PhishTank: A community-based tool to identify and track phishing websites.

• Sandboxes (e.g., Cuckoo Sandbox): For running suspicious attachments or links in an isolated
environment to observe malicious behavior.

• SIEM Tools: Security Information and Event Management tools like Splunk or QRadar can help
correlate phishing attempts across the organization.

Goals of Phishing Email Analysis:

• Prevent Data Theft: Stop users from unknowingly providing personal information (like login
credentials) to attackers.

• Detect Malware: Identify malicious attachments or links designed to deliver malware.

• Educate Users: Help organizations improve awareness among employees, so they can recognize
phishing attempts.

• Incident Response: Provide security teams with the necessary information to block further phishing
attacks and prevent escalation.

Phishing email analysis is essential in cybersecurity to protect users from falling victim to social engineering
attacks and minimize the risk of a successful breach.

44.What is a Port?

• Definition: A port is a logical construct that allows different types of network communication to be
handled separately by the same device. It essentially acts as an endpoint for communication.

• Purpose: Ports help direct incoming and outgoing network traffic to the appropriate application or
service running on a device. Without ports, data packets would not have a clear destination beyond
the IP address.

What is a Port Number?

• Definition: A port number is a 16-bit integer (ranging from 0 to 65,535) used to identify a specific
process or service on a device.

• Purpose: It allows the operating system to differentiate between various services running on the same
IP address. For example, HTTP traffic uses port 80, while HTTPS uses port 443.

How Ports Make Network Connections More Efficient:

• Segregation: By using different ports, multiple applications can use the same network connection
without interference. For example, web browsing, email, and file transfers can occur simultaneously
without conflict.

• Routing: Ports direct the traffic to the correct application or service on the receiving device, ensuring
that data is handled appropriately.

Ports and the OSI Model:

• Transport Layer: Ports operate at the Transport Layer (Layer 4) of the OSI model. Protocols like TCP
and UDP use port numbers to manage data transmission between devices.

• Network Layer: At the Network Layer (Layer 3), the IP address directs data to the correct device, but
ports are used at the Transport Layer to deliver the data to the correct application or service.

23
Firewalls and Port Blocking:

• Purpose of Blocking: Firewalls block ports to protect against unauthorized access and potential
attacks. Many ports, if left open, could be exploited by attackers to gain access to or disrupt network
services.

• Configuration: Firewalls are typically configured to allow traffic only through essential ports and block
all others by default, reducing the risk of attacks.

internet Assigned Numbers Authority (IANA):

• Role: The IANA maintains the global list of port numbers and their associated services. They ensure
that port numbers are uniquely assigned to avoid conflicts.

This organized approach to network communication ensures that data is efficiently routed to the correct
destination and handled by the appropriate application or service.

Common Port Numbers

Here’s a list of 25 commonly used port numbers and their associated services:

1. Port 20: FTP Data - Used for transferring files in FTP (File Transfer Protocol).

2. Port 21: FTP Control - Used for command and control in FTP.

3. Port 22: SSH - Secure Shell for secure remote administration and file transfers.

4. Port 23: Telnet - Provides a text-based terminal interface for remote login.

5. Port 25: SMTP - Simple Mail Transfer Protocol for sending emails.

6. Port 53: DNS - Domain Name System for translating domain names to IP addresses.

7. Port 67: DHCP Server - Dynamic Host Configuration Protocol for assigning IP addresses to devices.

8. Port 68: DHCP Client - Used by clients to receive IP addresses from a DHCP server.

9. Port 69: TFTP - Trivial File Transfer Protocol for simple file transfers.

10. Port 80: HTTP - Hypertext Transfer Protocol for web traffic.

11. Port 110: POP3 - Post Office Protocol version 3 for retrieving emails from a server.

12. Port 143: IMAP - Internet Message Access Protocol for accessing emails on a server.

13. Port 161: SNMP - Simple Network Management Protocol for network management.

14. Port 162: SNMP Trap - Used for sending notifications or alerts from an SNMP-enabled device.

15. Port 194: IRC - Internet Relay Chat for real-time text-based communication.

16. Port 443: HTTPS - HTTP Secure for encrypted web traffic.

17. Port 445: SMB - Server Message Block for file sharing and network communication.

18. Port 465: SMTPS - SMTP Secure for sending emails over SSL/TLS.

19. Port 514: Syslog - Used for logging messages from network devices.

20. Port 5432: PostgreSQL - Database server port for PostgreSQL.

21. Port 587: SMTP Secure (Submission) - Secure SMTP for submitting emails.

24
 22. Port 631: IPP - Internet Printing Protocol for network printing.

23. Port 3389: RDP - Remote Desktop Protocol for remote desktop connections.

24. Port 5432: PostgreSQL - Database server port for PostgreSQL.

25. Port 6379: Redis - Database server port for Redis.

These ports are associated with various network services and applications, each serving specific functions in
the network and internet infrastructure.

45. what is a 3-way handshake?

The three-way handshake is a process used in TCP (Transmission Control Protocol) to establish a reliable
connection between a client and a server. This process ensures that both parties are ready for data
transmission and agree on the initial sequence numbers. Here’s a detailed explanation of each step:

Steps of the Three-Way Handshake

1. SYN (Synchronize)

o Initiation: The client initiates the connection by sending a TCP segment with the SYN
(synchronize) flag set to 1. This segment contains a randomly generated sequence number,
which will be used for the communication session.

o Purpose: The SYN segment indicates that the client wants to establish a connection with the
server.

2. SYN-ACK (Synchronize-Acknowledge)

o Acknowledgment: Upon receiving the SYN segment, the server responds with a TCP segment
that has both the SYN and ACK (acknowledgment) flags set to 1. This segment contains an
acknowledgment number, which is the client’s sequence number plus 1, and a randomly
generated sequence number for the server.

o Purpose: The SYN-ACK segment acknowledges the receipt of the client’s SYN segment and
includes the server's own sequence number to establish the communication channel.

3. ACK (Acknowledge)

o Finalization: The client responds to the server’s SYN-ACK segment with a final TCP segment
that has the ACK flag set to 1. This segment acknowledges the receipt of the server’s SYN-ACK
segment and contains the server’s sequence number plus 1 as the acknowledgment number.

o Purpose: This final ACK segment confirms that the client has received the server’s SYN-ACK
segment, completing the handshake process.

Diagram of the Three-Way Handshake

25
 TCP - IT위 by Unknown Author is licensed under CC BY-SA-NC

Purpose of the Three-Way Handshake

• Synchronization: It synchronizes sequence numbers between the client and server, ensuring that
both sides have a clear understanding of the sequence and acknowledgment numbers.

• Connection Establishment: It establishes a reliable connection, confirming that both parties are
ready to communicate.

• Avoids Ambiguity: Ensures that both the client and server are synchronized and agree on the initial
sequence numbers, avoiding confusion or data loss.

Benefits

• Reliability: Guarantees that both sides are ready and can start exchanging data.

• Error Checking: Allows for the detection of lost or out-of-order segments during the connection setup.

• Session Management: Ensures that the connection setup process is properly completed before data
transmission begins.

The three-way handshake is a fundamental part of TCP’s reliability and is essential for establishing a stable
and error-free communication channel between two devices on a network.

46. what is a cyber kill chain?

The Cyber Kill Chain is a model developed by Lockheed Martin that outlines the stages of a cyber attack from
initial reconnaissance to the ultimate objective. It is used to help organizations understand, detect, and
respond to various phases of a cyber attack, enabling more effective defense strategies. The model breaks
down an attack into distinct phases, providing a framework for identifying and mitigating threats at each stage.

Stages of the Cyber Kill Chain

26
 1. Reconnaissance

o Description: The attacker gathers information about the target organization to identify
potential vulnerabilities. This can include scanning public websites, social media, or other
sources to collect details on systems, personnel, and network architecture.

o Objective: To collect enough information to plan an effective attack.

2. Weaponization

o Description: The attacker creates or acquires a weapon, such as malware, exploit kits, or
other tools, tailored to exploit the identified vulnerabilities. This often involves crafting an
exploit that will be delivered to the target.

o Objective: To develop a specific tool or payload that can exploit the identified weaknesses.

3. Delivery

o Description: The attacker delivers the weapon to the target. This can be done via various
methods, such as email attachments, malicious links, or direct network exploitation.

o Objective: To get the weapon onto the target system or network.

4. Exploitation

o Description: The weapon is executed on the target system to exploit a vulnerability. This step
involves running the exploit code to gain unauthorized access or execute malicious actions.

o Objective: To breach the target system or application.

5. Installation

o Description: Once the exploit is successful, the attacker installs additional tools or malware
to maintain access. This could involve installing backdoors, rootkits, or other persistent
malware.

o Objective: To establish a foothold within the target environment for future activities.

6. Command and Control (C2)

o Description: The attacker establishes communication channels with the compromised

system to issue commands, exfiltrate data, or control the system remotely. This can involve
using covert channels or encrypted communications.

o Objective: To control the compromised system and execute further actions.

7. Actions on Objectives

o Description: The attacker executes their final objectives, which could include stealing data,
disrupting operations, or causing other damage. This is the culmination of the attack and
involves achieving the attacker’s goals.

o Objective: To achieve the ultimate aim of the attack, whether it's data theft, system disruption,
or other malicious goals.

Application of the Cyber Kill Chain

• Detection and Prevention: By understanding each stage of the kill chain, organizations can develop
targeted defense mechanisms to detect and interrupt attacks early in the process. For example, strong

27
 security measures during reconnaissance can make it more difficult for attackers to gather useful
information.

• Incident Response: The kill chain model helps security teams understand the progression of an
attack, enabling them to respond more effectively by addressing specific phases. For instance, if an
attacker is detected during the exploitation phase, efforts can be focused on stopping further
exploitation and mitigating damage.

• Threat Intelligence: The model aids in identifying and analyzing tactics, techniques, and procedures
(TTPs) used by attackers, improving the ability to recognize and defend against similar attacks in the
future.

Advantages

• Structured Approach: Provides a clear and organized framework for understanding the stages of an
attack.

• Improved Defense: Helps in creating targeted defenses and responses for each stage of the attack.

• Enhanced Visibility: Increases visibility into attack patterns and enables better preparation for future
threats.

Overall, the Cyber Kill Chain provides valuable insights into the lifecycle of a cyber attack, allowing
organizations to enhance their security posture by focusing on preventing, detecting, and responding to each
phase of the attack.

47. What is a Mitre attack framework?

The MITRE ATT&CK Framework (Adversarial Tactics, Techniques, and Common Knowledge) is a
comprehensive knowledge base used to understand and defend against cyber threats. It is developed and
maintained by MITRE, a not-for-profit organization that operates Federally Funded Research and Development
Centers (FFRDCs). The framework provides a detailed view of the tactics, techniques, and procedures (TTPs)
that adversaries use during various stages of an attack.

Components of the MITRE ATT&CK Framework

1. Tactics

o Definition: Tactics represent the overarching goals or objectives that adversaries aim to
achieve during an attack. They are the high-level strategies or stages in the attack lifecycle.

o Examples: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,

Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact.

2. Techniques

o Definition: Techniques are the specific methods or actions adversaries use to achieve the
goals represented by the tactics. Each tactic can have multiple techniques.

o Examples: For the tactic "Initial Access," techniques might include Phishing, Exploitation of
Public-Facing Applications, or Drive-by Compromise.

3. Sub-techniques

o Definition: Sub-techniques provide more detailed descriptions of how a particular technique

can be executed. They represent variations or specific implementations of a technique.

28
 o Examples: Under the technique "Phishing," sub-techniques might include Spear Phishing
Attachment, Spear Phishing Link, or Spear Phishing via Service.

4. Procedures

o Definition: Procedures are real-world examples or instances of how adversaries implement

techniques in practice. They provide context and practical examples of how specific
techniques are used.

o Examples: Specific malware families or attack tools that utilize a particular technique.

5. Mitigations

o Definition: Mitigations are defensive measures and best practices that organizations can
employ to prevent or detect the use of techniques by adversaries.

o Examples: Multi-Factor Authentication (MFA), endpoint protection solutions, network

segmentation.

6. Detection

o Definition: Detection methods are strategies or mechanisms for identifying the use of
techniques and tactics. They include logging, monitoring, and analysis to recognize malicious
activities.

o Examples: Analyzing log files, monitoring network traffic, employing behavioral analytics.

Structure of the MITRE ATT&CK Matrix

The ATT&CK Matrix is divided into different matrices based on the environment or context:

• Enterprise: Covers techniques used against enterprise environments (Windows, macOS, Linux).

• Mobile: Addresses techniques relevant to mobile devices (iOS, Android).

• Cloud: Focuses on techniques relevant to cloud environments (AWS, Azure, Google Cloud).

• Industrial Control Systems (ICS): Specific to ICS environments and industrial control systems.

How to Use the MITRE ATT&CK Framework

1. Threat Modeling: Organizations use the framework to understand potential threats and adversarial
tactics that could target their systems.

2. Incident Response: Helps in identifying and responding to incidents by mapping observed activities
to known techniques and tactics.

3. Threat Intelligence: Provides context for threat intelligence by associating specific techniques and
procedures with known threat actors.

4. Defense Strategy: Assists in developing defense mechanisms by implementing mitigations and

detection strategies for techniques used by adversaries.

5. Red Teaming: Useful for red teams to simulate adversarial behavior and test the effectiveness of an
organization’s defenses.

Benefits of the MITRE ATT&CK Framework

• Comprehensive: Provides a detailed and structured view of adversarial tactics and techniques.

• Evolving: Continuously updated with new techniques and procedures based on real-world
observations.

29
 • Standardized: Offers a common language and framework for discussing and analyzing cyber threats.

• Practical: Provides actionable insights for improving security posture, detection, and response
capabilities.

Overall, the MITRE ATT&CK Framework is a valuable tool for understanding, defending against, and responding
to cyber threats. It helps organizations to anticipate adversarial tactics, implement effective security
measures, and enhance their overall cybersecurity strategy.

name of the tactic and number of tactic and technique

The MITRE ATT&CK Framework is structured around various tactics, each encompassing multiple techniques.
As of the latest update, here is an overview of the tactics and the number of techniques associated with each:

Tactics and Techniques

1. Initial Access (13 techniques)

o Techniques used to gain entry into a network or system.

2. Execution (20 techniques)

o Techniques for executing malicious code on a system.

3. Persistence (13 techniques)

o Techniques to maintain access to a system or network over time.

4. Privilege Escalation (16 techniques)

o Techniques for gaining higher-level privileges on a system.

5. Defense Evasion (17 techniques)

o Techniques to avoid detection and circumvent defenses.

6. Credential Access (17 techniques)

o Techniques for stealing or accessing credentials.

7. Discovery (18 techniques)

o Techniques used to gather information about a system or network.

8. Lateral Movement (14 techniques)

o Techniques for moving within a network after initial access.

9. Collection (12 techniques)

o Techniques for gathering and collecting data from a network or system.

10. Exfiltration (10 techniques)

o Techniques for transferring data out of a network or system.

11. Impact (16 techniques)

o Techniques used to disrupt or manipulate systems and data.

Summary

• Total Number of Tactics: 11

• Total Number of Techniques: 154

30
Note that the number of techniques can vary as the framework is regularly updated with new tactics and
techniques based on emerging threats and real-world observations. For the most current information, refer to
the MITRE ATT&CK official website.

48.what is a CIA triad?

[정보보안기사] 정보보호관리의 개념 by
Unknown Author is licensed under CC BY-NC-ND

The CIA Triad is a fundamental concept in cybersecurity, representing the three core principles of information
security:

1. Confidentiality

• Definition: Ensures that information is only accessible to those who are authorized to view it. This
principle aims to protect sensitive data from unauthorized access or disclosure.

• Methods:

o Encryption: Converts data into a coded format that can only be read by authorized users.

o Access Controls: Implements user authentication and authorization measures to restrict

access.

o Data Classification: Categorizes data based on its sensitivity and applies appropriate security
measures.

2. Integrity

• Definition: Ensures that information remains accurate, consistent, and unaltered during storage,
transmission, and processing. Integrity aims to prevent unauthorized modification or tampering of
data.

31
 • Methods:

o Hashing: Uses algorithms to generate a unique hash value for data, which can be verified to
detect changes.

o Checksums: Verifies data integrity by comparing calculated values before and after
transmission.

o Digital Signatures: Provides a means to verify the authenticity and integrity of digital
messages or documents.

3. Availability

• Definition: Ensures that information and resources are accessible to authorized users when needed.
Availability focuses on preventing disruptions and ensuring reliable access to data and services.

• Methods:

o Redundancy: Implements backup systems, failover mechanisms, and clustering to ensure

continuous access.

o Disaster Recovery: Develops plans and procedures for recovering data and services in the
event of a failure or disaster.

o Load Balancing: Distributes network traffic and workloads to prevent overloads and maintain
performance.

Importance of the CIA Triad

• Balanced Security: The CIA Triad provides a balanced approach to information security, ensuring that
data is protected from unauthorized access, remains accurate and unaltered, and is available when
needed.

• Risk Management: Helps organizations identify and address potential risks by focusing on these three
core principles.

• Security Policies: Guides the development of security policies, procedures, and controls to address
confidentiality, integrity, and availability concerns.

Practical Application

In practice, achieving the CIA Triad involves implementing various security measures and controls, such as:

• Confidentiality: Using strong encryption protocols, implementing access controls, and enforcing data
protection regulations.

• Integrity: Employing data validation techniques, using cryptographic hash functions, and ensuring
proper data backup procedures.

• Availability: Ensuring system redundancy, maintaining robust disaster recovery plans, and monitoring
system performance to prevent outages.

Overall, the CIA Triad is a foundational framework for understanding and addressing the core aspects of
information security, and it is integral to developing comprehensive security strategies and practices.

49. Types Of Windows Event Logs

Windows event logs are a detailed record of system, application, and security events on a Windows system.
These logs help in monitoring, troubleshooting, and maintaining the health and security of the system. The

32
logs are categorized into several types, each serving a different purpose. Here are the main types of Windows
event logs:

1. Application Logs

• Description: Records events generated by applications or programs running on the system.

Applications can log errors, warnings, and information relevant to their operation.

• Examples: Microsoft Office applications, SQL Server, or custom-built software logs.

• Common Events: Application crashes, initialization errors, or notifications of successful operations.

2. System Logs

• Description: Contains logs generated by Windows system components, such as drivers, services, and
the operating system itself.

• Examples: Events related to the boot process, service start/stop, hardware failures, or driver issues.

• Common Events: System reboots, hardware failures, driver errors, or service failures.

3. Security Logs

• Description: Logs security-related events such as login attempts, resource access, and policy
changes. The security log is often used for auditing and compliance purposes.

• Examples: Successful or failed logon attempts, file access, changes to user accounts, or group
policies.

• Common Events:

o 4624: Successful logon.

o 4625: Failed logon attempt.

o 4740: Account locked out.

o 4720: User account created.

o 4688: A new process has been created.

4. Setup Logs

• Description: Contains logs related to system setup, including installation events such as updates,
patches, or configuration changes.

• Examples: Operating system installation, updates, or configuration changes during setup.

• Common Events: Windows updates installation or system role changes.

5. Forwarded Events

• Description: Logs collected from other remote systems and forwarded to the local machine. This
allows centralized event log management, where a system can receive logs from multiple sources.

• Examples: Security logs forwarded from other systems to a centralized server for analysis.

• Common Use: In networked environments for centralized monitoring of multiple computers.

6. DNS Server Logs

• Description: Specific to Domain Name System (DNS) servers, these logs contain records related to
DNS queries, zone transfers, and DNS server operations.

33
 • Examples: DNS request failures, zone updates, or server errors.

• Common Events: DNS lookup failures, zone transfers, or query resolution errors.

7. Active Directory Logs

• Description: These logs are specific to Active Directory operations and include events related to
domain controllers, user authentication, and directory service changes.

• Examples: Logons, logoffs, account changes, group memberships.

• Common Events: User account creation, replication failures, or directory service errors.

8. Windows PowerShell Logs

• Description: Logs specific to Windows PowerShell activity, capturing script executions and command
usage.

• Examples: PowerShell commands executed, script errors, or administrative tasks performed via
PowerShell.

• Common Events: Script execution logs, error reports, or malicious script detection.

9. Key Management Service (KMS) Logs

• Description: Logs related to the activation of Windows licenses through KMS.

• Examples: Successful or failed Windows product activation events.

• Common Events: Activation errors or successful license activations.

10. Windows Defender Logs

• Description: Logs generated by the Windows Defender Antivirus software, which include events
related to malware detection, virus scans, and security updates.

• Examples: Malware detection, quarantined files, or antivirus scan results.

• Common Events: Virus detected, updates to virus definitions, or scan completion.

11. Application and Services Logs

• Description: A collection of logs for specific applications or services, allowing for more detailed and
granular logging than the standard application and system logs.

• Examples: Logs for specific services like Internet Explorer, Windows Backup, or other Windows
components.

• Common Events: Custom application events or service-related issues.

12. Hardware Events Logs

• Description: Contains events related to hardware issues such as hard drives, memory, or other
physical components.

• Examples: Disk failures, memory errors, or overheating warnings.

• Common Events: Hard drive failure alerts, memory errors, or hardware resource conflicts.

13. Audit Logs

• Description: Logs related to security auditing of file access, object access, and policy changes. These
are part of the advanced auditing features in Windows.

34
 • Examples: Access attempts to sensitive files, changes to audit policies, or modifications of system
files.

• Common Events: Access to a specific file, modification of critical system files, or group policy
changes.

Each of these event log types plays a critical role in monitoring the system’s health, security, and operations,
and they are vital for system administrators, security teams, and auditors.

50. windows event ids?

Windows Event IDs are unique codes assigned to specific events that occur within a Windows system. These
event IDs are used to track and identify system activities, security incidents, and potential issues. Here are
some of the important Windows Event IDs, especially relevant for security and auditing purposes:

1. Logon/Logoff Events

• 4624: Successful Logon

o This event is logged when a user successfully logs onto a system.

• 4625: Failed Logon

o This event is logged when a logon attempt fails, such as due to incorrect password entry.

• 4634: Logoff

o This event is logged when a user logs off from a session.

• 4647: User-initiated Logoff

o This event is recorded when a user manually logs off from a session.

• 4672: Special Logon

o Indicates when a user logs on with special privileges (e.g., administrative accounts).

2. Account Management Events

• 4720: User Account Created

o This event is logged when a new user account is created.

• 4722: User Account Enabled

o Logged when a previously disabled account is re-enabled.

• 4723: An Attempt Was Made to Change an Account's Password

o This event logs password change attempts, including both successful and failed attempts.

• 4724: An Attempt Was Made to Reset an Account's Password

o Indicates an account password was reset.

• 4725: User Account Disabled

o This event logs when a user account is disabled.

• 4726: User Account Deleted

o Logged when a user account is deleted.

35
3. Account Lockout Events

• 4740: Account Lockout

o This event is triggered when an account is locked due to multiple failed logon attempts.

4. Group Management Events

• 4732: A Member Was Added to a Security-Enabled Local Group

o This event is logged when a user is added to a security group.

• 4733: A Member Was Removed from a Security-Enabled Local Group

o Indicates when a user is removed from a security group.

5. Process Tracking Events

• 4688: A New Process Has Been Created

o Logged when a new process is initiated on the system. Useful for tracking malicious
processes.

• 4689: A Process Has Exited

o This event logs when a process is terminated.

6. Object Access Events

• 4663: An Attempt Was Made to Access an Object

o Logged when an object, such as a file or folder, is accessed (e.g., opened, modified, or
deleted).

• 4656: A Handle to an Object Was Requested

o Indicates an attempt to obtain a handle (reference) to an object.

7. Policy Change Events

• 4719: System Audit Policy Was Changed

o This event is logged when an audit policy is modified.

• 4739: Domain Policy Was Changed

o Logged when domain policies are altered.

• 4902: The Per-User Audit Policy Table Was Created

o Indicates changes to the audit policy on a per-user basis.

8. Network Events

• 4776: The Computer Attempted to Validate the Credentials for an Account

o Logged when a system attempts to validate credentials, often related to remote logins.

• 4627: Group Membership Enumerated

o Occurs when group memberships are queried.

9. Logon Types

36
Logon types indicate how the user logged in. Event ID 4624 (Successful Logon) and 4625 (Failed Logon) are
accompanied by a logon type number:

• 2: Interactive logon (user logged in directly to the machine).

• 3: Network logon (accessing a shared resource, such as a file share).

• 4: Batch logon (used for scheduled tasks).

• 5: Service logon (used when a service starts).

• 7: Unlock (logon after locking the system).

• 10: Remote Interactive logon (e.g., RDP).

• 11: Cached Interactive logon (e.g., logging on with cached credentials when offline).

10. Other Critical Security Events

• 4771: Kerberos Pre-authentication Failed

o This event logs when Kerberos pre-authentication fails, often due to incorrect credentials.

• 4769: A Kerberos Service Ticket Was Requested

o Indicates that a service ticket was requested, used for authentication.

• 4964: Special Groups Logon

o Logged when a member of a sensitive group logs onto a system.

Importance of Event IDs in Security

• Monitoring: Event IDs help system administrators and security professionals monitor key activities
and detect suspicious behavior, such as failed logins or the creation of unauthorized accounts.

• Auditing: Event IDs are essential for tracking changes and ensuring compliance with organizational
policies.

• Incident Response: Event logs provide crucial information for investigating security incidents like
intrusions or malware infections.

51. windows network and service?

Windows networks and services are critical components of the Windows operating system that manage
communication, resource sharing, and security across devices and users within a network. Here's an overview
of key aspects of Windows network and services:

1. Windows Networking

Windows supports both local area networks (LANs) and wide area networks (WANs), allowing devices to
communicate, share resources, and provide network services such as file sharing, printer access, and
internet connectivity. Key components of Windows networking include:

a. Workgroups and Domains

• Workgroup: A simple peer-to-peer network where all computers are considered equal. Common in
small networks without centralized management.

• Domain: A centralized network model where one or more servers (Domain Controllers) manage
network resources, security, and user accounts. Common in enterprise environments.
37
b. Network Protocols

• TCP/IP (Transmission Control Protocol/Internet Protocol): The most widely used protocol for
communication between devices in a network. It provides reliable, ordered, and error-checked delivery
of data.

• DNS (Domain Name System): Resolves human-readable domain names (like www.example.com) into
IP addresses.

• DHCP (Dynamic Host Configuration Protocol): Automatically assigns IP addresses to devices on a

network, simplifying IP management.

• SMB (Server Message Block): A protocol used for sharing files, printers, and other network resources
between Windows machines.

c. Remote Access and VPNs

• RDP (Remote Desktop Protocol): Enables users to remotely connect to another Windows computer
over a network. Used for remote administration or remote work.

• VPN (Virtual Private Network): Allows secure remote access to a private network over the internet by
encrypting the connection.

d. File and Printer Sharing

• Shared Folders: Users can share files across the network. Permissions are configured to control who
can access or modify shared files.

• Printer Sharing: Allows a single printer to be shared across multiple devices in the network.

e. Windows Network Services

• Active Directory (AD): A centralized directory service that stores information about users, computers,
and other resources on a network. It helps administrators manage permissions, policies, and access.

• Group Policy: Allows centralized management of security settings and configurations for users and
computers in an Active Directory environment.

2. Windows Services

Windows services are background processes that perform specific functions and are essential for running
network applications and managing system resources. These services can start automatically when the
system boots or manually by the user. Below are some key Windows services related to networking and
security:

a. Networking Services

• DHCP Client: Manages the automatic assignment of IP addresses to devices using the DHCP
protocol.

• DNS Client: Resolves domain names to IP addresses to enable communication with remote servers.

• Windows Time (W32Time): Synchronizes the system clock with a network time server. Time
synchronization is crucial for authentication protocols like Kerberos.

• Routing and Remote Access (RRAS): Provides VPN services, NAT, and routing for Windows servers,
allowing users to connect to the network remotely.

• WLAN AutoConfig: Manages wireless connections, including detecting and connecting to available
Wi-Fi networks.

38
b. Security and Authentication Services

• Active Directory Domain Services (AD DS): Centralized service for managing users, computers, and
network resources in a domain.

• Kerberos Key Distribution Center (KDC): A core component of the Kerberos protocol used for secure
authentication within a domain.

• Windows Defender Firewall: A built-in firewall that helps to protect the system by filtering inbound
and outbound traffic based on predefined security rules.

• Network Policy Server (NPS): Used to enforce security policies for users connecting to the network
via VPN or Wi-Fi.

c. Remote and Access Control Services

• Remote Desktop Services (RDS): Enables remote access to a virtual desktop or application.

• Network Access Protection (NAP): Controls access to the network based on the health status of the
device (e.g., whether the device has up-to-date antivirus software).

d. File and Print Services

• Print Spooler: Manages print jobs by storing them temporarily until the printer is ready to process
them.

• Server: This service provides file, print, and named-pipe sharing over the network, enabling devices to
access shared resources.

e. Windows Update Services

• Windows Update Service: Manages the downloading and installation of updates from Microsoft
servers to keep the system secure and up to date.

• Windows Server Update Services (WSUS): Allows administrators to manage the distribution of
updates and hotfixes within a corporate environment.

3. Windows Networking Tools

Windows provides several tools for managing and troubleshooting network connections and services:

a. Network and Sharing Center

• A GUI-based tool that allows users to view network status, set up new network connections, and
configure network adapters and sharing settings.

b. Command-Line Tools

• ipconfig: Displays network configuration, including IP address, subnet mask, and default gateway.

• ping: Tests connectivity between two network devices by sending ICMP Echo Requests.

• tracert: Traces the path that data packets take to reach a destination.

• netstat: Displays active network connections and listening ports.

• nslookup: Queries DNS servers for IP addresses associated with domain names.

4. Windows Services Management

• Services.msc: A management console that provides a graphical interface to view, start, stop, and
configure Windows services.

39
 • Task Manager: Shows currently running services and their performance impact, including resource
usage and network activity.

• PowerShell: Allows advanced users and administrators to manage services and network
configurations via command-line scripts.

5. Windows Server Roles and Features

For advanced networking, Windows Server provides additional roles and features:

• DNS Server: Provides name resolution services for devices on the network.

• DHCP Server: Manages IP address allocation for devices on the network.

• Web Server (IIS): Provides hosting for websites and web services.

• File and Storage Services: Manages network file sharing and storage.

• Hyper-V: Virtualization platform that allows running virtual machines on a network.

Summary

Windows network and services play a crucial role in communication, security, and resource management in
both personal and enterprise environments. Through Active Directory, file sharing, remote desktop, VPNs, and
other services, Windows enables users to securely and efficiently interact with network resources. The proper
configuration and management of these services ensure secure and reliable network operation.

52. OSI layer which port is to which layer?

The OSI (Open Systems Interconnection) model consists of seven layers, each responsible for a different
aspect of network communication. When it comes to port numbers, they are primarily associated with Layer 4
(Transport Layer), as that is where communication between different applications (services) is managed.
Here's how ports fit into the OSI model:

1. Layer 1 – Physical Layer

• Role: Deals with the physical connection and transmission of raw data (bits) over a medium, such as
cables or radio waves.

• Relevance to Ports: No ports are associated with this layer, as it only handles physical signals.

2. Layer 2 – Data Link Layer

• Role: Responsible for data transfer between devices on the same network segment (e.g., MAC
addresses, Ethernet).

• Relevance to Ports: No ports are assigned here, as this layer deals with hardware addressing and
error detection.

3. Layer 3 – Network Layer

• Role: Responsible for routing data between different networks (IP addresses).

• Relevance to Ports: Ports are not directly assigned here. The IP address is used to route packets to
the correct host at this layer, but ports themselves are not relevant to Layer 3. This layer uses protocols
such as IP (Internet Protocol).

4. Layer 4 – Transport Layer

• Role: Responsible for end-to-end communication, error recovery, and flow control between devices.

40
 • Relevance to Ports: Ports are directly associated with the Transport Layer. The two main transport
layer protocols that use ports are:

o TCP (Transmission Control Protocol): Ensures reliable, connection-oriented communication.

o UDP (User Datagram Protocol): Provides connectionless, faster but less reliable
communication.

Example of ports associated with Layer 4:

• Port 80: Used by HTTP (web traffic).

• Port 443: Used by HTTPS (secure web traffic).

• Port 22: Used by SSH (secure shell).

• Port 25: Used by SMTP (email).

5. Layer 5 – Session Layer

• Role: Manages sessions or connections between two systems. This layer ensures that communication
sessions are maintained, and data streams are synchronized.

• Relevance to Ports: While ports aren't directly mapped to the Session Layer, this layer uses the ports
defined at Layer 4 (Transport Layer) to maintain communication sessions.

6. Layer 6 – Presentation Layer

• Role: Deals with data translation, encryption, and compression. This layer ensures that data is in a
usable format for the application layer.

• Relevance to Ports: No ports are associated with this layer, as it focuses on how data is represented
(e.g., encryption, formatting).

7. Layer 7 – Application Layer

• Role: Provides network services directly to end-user applications. It allows users to interact with the
network (e.g., web browsers, email clients).

• Relevance to Ports: Applications running at this layer rely on port numbers defined at Layer 4 to
communicate over the network. Ports are often associated with specific services provided by
applications, such as:

o Port 21: FTP (File Transfer Protocol).

o Port 53: DNS (Domain Name System).

o Port 110: POP3 (Post Office Protocol for receiving emails).

Summary: Mapping Ports to the OSI Model

• Layer 4 (Transport Layer): This is where port numbers exist, helping to route data to the correct
application or service.

• Layer 7 (Application Layer): Ports are used by applications and services to identify specific types of
traffic (e.g., web, email, file transfer), but they are defined and handled by Layer 4.

Ports are essential for identifying specific services or applications running on a system, and they operate
primarily in the Transport Layer (Layer 4) of the OSI model.

41
53.What is a demilitarized zone?
A Demilitarized Zone (DMZ) in networking is a physical or logical subnetwork that separates an organization's
internal network (trusted zone) from external, untrusted networks, typically the public Internet. The main
purpose of a DMZ is to add an extra layer of security, ensuring that services exposed to the external world (like
web servers, email servers, or DNS servers) are isolated from the internal network.

Here's how it works:

• Public-facing servers, such as web servers, are placed within the DMZ. This setup allows these
services to communicate with external users while keeping the internal, private network safe.

• The internal network is protected from external attacks because if the DMZ is compromised, attackers
won't have direct access to the internal network. Additional security measures, such as firewalls,
control traffic between the DMZ and both the external Internet and the internal network.

In short, a DMZ acts as a buffer zone between the Internet and an organization's private network, offering an
added level of defense against potential threats.

54. Can you tell me how the networks are placed in networking company such as routers, switches,
firewalls, where are they placed and how?

In a typical networking company setup, several devices like routers, switches, firewalls, and other
components work together to ensure network traffic is efficiently managed, secured, and routed. Here's a
basic overview of how these devices are placed and their roles:

1. Internet Connection

• Role: This is the entry point where the company connects to the Internet via an Internet Service
Provider (ISP).

2. Firewall (Placed after the internet connection)

• Role: A firewall is typically placed at the perimeter of the network to filter incoming and outgoing traffic
based on predefined security rules. It blocks unauthorized access and allows legitimate traffic.

• Placement: It sits between the external (untrusted) network, like the Internet, and the internal
(trusted) network. There may also be an internal firewall to segment different parts of the internal
network.

• DMZ (Demilitarized Zone): The firewall can create a DMZ between the internal and external networks
for hosting public-facing services (like web servers).

3. Router (Usually behind the firewall)

• Role: A router is responsible for directing traffic between different networks, like connecting the
internal network to the Internet or multiple internal subnets. Routers read the IP address in packets
and decide the best path for data.

• Placement: Routers sit between the firewall and the external network (or sometimes internally
between different internal networks). For example, a router can connect the company's network to the
Internet or other remote branch offices via VPN.

4. Core Switch (In the core of the network)

• Role: Switches direct traffic between devices on the same internal network (LAN). A core switch,
which is typically high-performance, is the central point of the internal network, managing traffic
between different internal switches and routers.
42
 • Placement: Core switches are placed centrally to interconnect all internal networks, typically in the
data center, and handle large volumes of traffic between servers and end devices.

5. Access Switches (Closer to end-users and devices)

• Role: Access switches connect devices like computers, printers, and IP phones to the network. They
handle lower traffic compared to core switches.

• Placement: These are placed throughout the office spaces to provide network connectivity to various
endpoints (end-user devices like PCs and phones).

6. Servers (Can be in a DMZ or the internal network)

• Role: Servers host internal applications, databases, websites, or email services. Some servers (e.g.,
web servers) are placed in the DMZ to be accessible to external users while others are placed in the
internal network for internal use only.

• Placement: Servers are typically placed in the company's data center, with public-facing servers in the
DMZ and internal servers behind additional firewalls for security.

7. VPN Gateway (For remote access)

• Role: VPN gateways provide secure remote access for employees working outside the office. They
establish encrypted connections to ensure security.

• Placement: Often placed near the firewall or router to manage secure connections between external
remote users and the internal network.

8. Intrusion Detection/Prevention Systems (IDS/IPS)

• Role: These monitor network traffic for malicious activities and take action to block or alert on
suspicious traffic.

• Placement: IDS/IPS systems can be placed behind the firewall (inside the network) or in the DMZ to
monitor external threats before they reach internal systems.

9. Wireless Access Points (WAPs)

• Role: These provide wireless connectivity for laptops, smartphones, and other devices.

• Placement: Spread across the office space to cover areas where wireless connectivity is needed, and
they are connected to access switches.

Example Flow in the Network:

1. External Traffic: Internet traffic first hits the firewall, which filters it based on security policies.

2. If allowed, the traffic passes to the router, which forwards it to the appropriate network (DMZ or
internal network).

3. The traffic then reaches either the DMZ servers (for public services) or goes through to the internal
network where core switches direct it to the correct internal system, like servers or access switches
for end devices.

Internal Traffic:

Internal devices (like computers, phones, printers) are connected to access switches. These switches
connect to the core switch for internal communication or to access external services via the firewall and
router.

43
This layout helps ensure the network is structured for security, efficiency, and scalability. Different
departments or segments (e.g., HR, Finance, R&D) may also have dedicated subnets, each managed
separately for security.

Sure, let’s dive into each topic in detail.

SIEM (Security Information and Event Management)

• Purpose: SIEM systems aggregate and analyze security data from various sources to detect, monitor,
and respond to security threats in real time.

• Components:

o Log Management: Collects and stores log data from different sources.

o Event Correlation: Analyzes and correlates events to identify potential threats.

o Alerting: Sends notifications about suspicious activities or potential security incidents.

o Reporting: Provides reports on security incidents, compliance status, and system

performance.

• Examples: Splunk, IBM QRadar, ArcSight.

OSI Model

44
The OSI (Open Systems Interconnection) model is a conceptual framework used to understand and design
network systems. It consists of seven layers:

1. Physical Layer: Deals with the physical connection between devices (e.g., cables, switches).

2. Data Link Layer: Manages data framing, MAC addresses, and error detection (e.g., Ethernet).

3. Network Layer: Handles routing of data packets across networks (e.g., IP addresses).

4. Transport Layer: Ensures reliable data transfer and error recovery (e.g., TCP, UDP).

5. Session Layer: Manages sessions or connections between applications (e.g., establishing and
managing sessions).

6. Presentation Layer: Translates data formats between the application layer and the network (e.g.,
encryption, data compression).

7. Application Layer: Interfaces with end-user applications (e.g., HTTP, FTP, SMTP).

MITRE ATT&CK Framework

• Purpose: Provides a knowledge base of adversary tactics and techniques based on real-world
observations to help organizations understand and counteract cyber threats.

• Tactics: There are 14 tactics, each representing a different goal an attacker might achieve:

1. Initial Access: Gaining entry into a network.

2. Execution: Running malicious code.

3. Persistence: Maintaining access over time.

4. Privilege Escalation: Gaining higher-level permissions.

5. Defense Evasion: Avoiding detection.

6. Credential Access: Stealing account credentials.

7. Discovery: Gathering information about the environment.

8. Lateral Movement: Moving within the network.

9. Collection: Gathering data of interest.

10. Exfiltration: Removing data from the network.

11. Impact: Causing damage or disruption.

12. Command and Control (C2): Communicating with compromised systems.

13. Evasion: Avoiding detection by security tools.

14. Impact: Manipulating or disrupting system operations.

Cyber Kill Chain

• Purpose: Describes the stages of a cyber attack to understand and mitigate threats.

• Stages:

1. Reconnaissance: Gathering information about the target.

2. Weaponization: Creating a weapon or exploit to attack.

3. Delivery: Transmitting the weapon to the target (e.g., via email, website).
45
 4. Exploitation: Triggering the exploit to gain access.

5. Installation: Installing malware or establishing a foothold.

6. Command and Control (C2): Establishing communication with the compromised system.

7. Actions on Objectives: Achieving the attacker’s goals (e.g., data theft, system disruption).

TCP vs UDP

• TCP (Transmission Control Protocol):

o Connection-Oriented: Establishes a connection before data transfer.

o Reliable: Ensures data is delivered correctly and in order.

o Error Checking: Includes mechanisms for error recovery and retransmission.

o Use Cases: Web browsing (HTTP/HTTPS), email (SMTP), file transfer (FTP).

• UDP (User Datagram Protocol):

o Connectionless: Sends data without establishing a connection.

o Faster: Less overhead compared to TCP, no error recovery.

o Less Reliable: No guarantee of data delivery or order.

o Use Cases: Streaming (video/audio), online gaming, DNS.

Three-Way Handshake

• Purpose: Establishes a reliable TCP connection between a client and server.

• Process:

1. SYN: Client sends a SYN (synchronize) packet to initiate a connection.

2. SYN-ACK: Server responds with a SYN-ACK (synchronize-acknowledge) packet.

3. ACK: Client sends an ACK (acknowledge) packet to complete the connection setup.

IDS vs IPS

• IDS (Intrusion Detection System):

o Function: Monitors network traffic for signs of malicious activity.

o Action: Alerts administrators of potential threats.

o Deployment: Passively monitors traffic without blocking.

• IPS (Intrusion Prevention System):

o Function: Monitors and analyzes network traffic.

o Action: Actively blocks or prevents detected threats.

o Deployment: Positioned in-line with traffic to stop threats in real-time.

Different Types of Attacks

• Phishing: Deceptive emails or messages that trick users into revealing sensitive information.

• Malware: Malicious software designed to harm or exploit systems (e.g., viruses, worms, ransomware).

46
 • Ransomware: Encrypts files and demands payment for decryption.

• SQL Injection: Exploits vulnerabilities in web applications to execute arbitrary SQL commands.

• DDoS (Distributed Denial of Service): Overloads a target system with traffic to disrupt services.

• Brute Force: Attempts to guess passwords or encryption keys through exhaustive trial and error.

Analysis of Phishing Mail and Malware Analysis

• Phishing Mail:

o Check for: Suspicious URLs, spelling errors, unexpected attachments, unfamiliar senders.

o Tools: Use email security solutions and sandboxing to analyze.

• Malware Analysis:

o Behavioral Analysis: Observe how malware behaves in a controlled environment (e.g.,

sandbox).

o Static Analysis: Examine the malware code without execution.

o Dynamic Analysis: Study the malware’s actions during execution.

• Brute Force:

o Techniques: Automated tools or scripts to try multiple passwords.

o Mitigation: Implement account lockout policies, use complex passwords, employ multi-factor
authentication.

Firewall, VPN, EDR, Antivirus, WAF, Router, Switch

• Firewall:

o Purpose: Controls incoming and outgoing network traffic based on security rules.

o Types: Hardware, software, network-based, application-based.

• VPN (Virtual Private Network):

o Purpose: Creates a secure, encrypted tunnel for data transmission over a less secure network
(e.g., the internet).

o Use Cases: Secure remote access, bypassing geographic restrictions.

• EDR (Endpoint Detection and Response):

o Purpose: Provides continuous monitoring and response capabilities for endpoints (e.g.,
laptops, servers).

o Features: Threat detection, incident response, forensic analysis.

• Antivirus:

o Purpose: Detects and removes malicious software.

o Techniques: Signature-based detection, heuristic analysis, behavioral analysis.

• WAF (Web Application Firewall):

o Purpose: Protects web applications by filtering and monitoring HTTP traffic.

o Protection Against: SQL injection, cross-site scripting (XSS), and other web-based attacks.
47
 • Router:

o Purpose: Directs data packets between networks based on IP addresses.

o Function: Manages traffic within and between networks.

• Switch:

o Purpose: Connects devices within a network and uses MAC addresses to forward data.

o Function: Creates a network segment, reducing collision domains.

CIA Triad and AAA

• CIA Triad:

o Confidentiality: Ensures that information is only accessible to authorized individuals.

o Integrity: Ensures that data is accurate and unaltered.

o Availability: Ensures that information and resources are accessible when needed.

• AAA:

o Authentication: Verifies the identity of users or systems.

o Authorization: Grants or denies access to resources based on permissions.

o Accounting: Tracks user activities and system usage for auditing and compliance.

Encryption: Symmetric vs Asymmetric

• Symmetric Encryption:

o Key: Same key is used for both encryption and decryption.

o Example Algorithms: AES (Advanced Encryption Standard), DES (Data Encryption Standard).

o Pros: Faster performance, less computational overhead.

o Cons: Key distribution and management challenges.

• Asymmetric Encryption:

o Key Pair: Uses a pair of keys (public and private).

o Example Algorithms: RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography).

o Pros: Enhanced security for key distribution, digital signatures.

o Cons: Slower performance compared to symmetric encryption.

EDR vs MDR vs XDR

• EDR (Endpoint Detection and Response):

o Focus: Endpoint security with real-time monitoring and response.

o Scope: Individual devices such as laptops and servers.

• MDR (Managed Detection and Response):

o Focus: Outsourced security service providing threat detection, incident response, and threat
hunting.

o Scope: Broader than EDR, often includes network and endpoint monitoring.
48
 • XDR (Extended Detection and Response):

o Focus: Integrates multiple security layers (network, endpoint, server, cloud) into a unified
system for comprehensive threat detection and response.

o Scope: Provides a holistic view of security across various environments.

Windows Event IDs

• 4625: Failed logon attempt.

• 4624: Successful logon.

• 4740: Account was locked out.

• 4724: Attempted reset of a user account password.

• 4720: User account was created.

• 4722: User account was enabled.

• 4688: A new process has been created.

Logon Types

• 2: Interactive logon (directly at the console).

• 3: Network logon (accessing resources over the network).

• 10: Remote Interactive logon (using Remote Desktop or similar services).

Ports and Protocols

• 21: FTP (File Transfer Protocol) – Used for transferring files between systems.

• 22: SSH (Secure Shell) – Provides secure access to remote systems; SFTP (Secure File Transfer
Protocol) – Secure file transfer over SSH.

• 23: Telnet – Unencrypted text-based communication protocol for remote access.

• 25: SMTP (Simple Mail Transfer Protocol) – Used for sending emails.

• 80: HTTP (Hypertext Transfer Protocol) – Used for web traffic.

• 443: HTTPS (HTTP Secure) – Secure version of HTTP, using encryption.

• 3389: RDP (Remote Desktop Protocol) – Allows remote access to Windows systems.

• 445: SMB (Server Message Block) – Provides file sharing and printer services.

• 389: LDAP (Lightweight Directory Access Protocol) – Used for accessing directory services.

• 123: NTP (Network Time Protocol) – Used for synchronizing clocks over a network.

49